ACK, blasted spammer has gotten me blacklisted... how to fix?

I've been hit by a jerk who is spamming an address that I have an ispconfig3 DNS entry for - but NEVER set up any email boxes for...
but the RCPT TO field has me in turn spamming Yahoo addresses and I've been blacklisted by them....
From maillog:
---snip---
Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CD8431B1216: from=<[email protected]>, size=1904, nrcpt=1 (queue active)
Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CD9071B2BDC: from=<[email protected]>, size=1789, nrcpt=1
and I get 'rate limited' messages in my messages....
Later on:
Jan 3 06:23:32 ns9 postfix/smtp[29668]: CA5471B3948: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=164335, delays=164334/0/0.67/0.3, dsn=4.7.1, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.1 [TS03] All messages from 74.96.241.34 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/errors/421-ts03.html (in reply to MAIL FROM command))
---snip---
and the RCPT TO messages are blasting Yahoo.

At least for now I turned OFF the DNS for the domain, as I don't have a website on it; it's just a placeholder.

Anything I can do to prevent this? Surely mail that has NO email box on ispconfig should be rejected out of hand - and it's not...

Check the content of the spam email with the postcat command to find out if the email has been sent by an authenticated account or by a hacked website.

a) If it has been sent by an authenticated account, then change the password of that account.
b) If this has been sent through a hacked website, then you have to clean the website and remove the malware. Close the hole in the website by installing updates.

Finally remove the spam emails from mailqueue with the postsuper command.

Notice that we see a TON of emails all FROM [email protected]
For example C42071AEFB7 from paullette (at the top) then in the middle goes to [email protected]
But mtanterominerals has NO valid users, so why on earth would ANY of these get relayed?


The from and to addresses don't matter when the emails were sent by a hacked website, and your server is not relaying these mails; it is the origin sender when a site got hacked. If you deleted the mails from the mail queue, then you can try to find the hacked scripts with a malware scanner like maldetect, or you use the free trial from ispprotect.com to scan your server.

Installed ispprotect. Alas, no free trial for me (my laptop rebooted during scan).
But I paid (of course!) and I'm seeing a number of malware detected.
Some I'm positive are false positives (in cgi installables from 2003!) - but a number seem legit.
Now from what I can tell the malware scanner does not clean, right?
And one of the ones I'm suspicious of has {HEX}r2h.malware.blue.44
What IS that? The php files look ok to the eye. How do I confirm?
And what's the cleaning process?
Thanks

The scanner does not rename / move any detected files. And it's not a good idea to implement such an option.
Check the PHP file. But I don't think that {HEX}r2h.malware.blue.44 is a false positive.
Cleaning process: check and remove the files.

As Florian mentioned, automatic cleanup is not a good idea as this will likely break your CMS, and therefore we did not implement that.

There are 2 ways a file gets infected:

a) A hacker inserts a new file that contains only hacked code, in this case you can delete the whole file.

b) A hacker injects code into an existing file, in this case you have to clean that file (remove only the hacked code part) or replace that file with a known good version (e.g. download the sources of that CMS system from its vendor, unpack it and upload a new and clean copy of the hacked file). In most cases, the hacked code is inserted at the beginning or end of a file and you can see that it looks strange when compared to the other parts of the file. But it needs a bit of PHP knowledge to differentiate between good and bad code segments, so using the approach to upload a new clean file might be easier if you have no good PHP knowledge.
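The two patterns above (a whole new file dropped in, or code added to an existing file) can be told apart by comparing the deployed site against a freshly unpacked vendor copy of the CMS. The following is an added example written for this thread, not ISPProtect's or ISPConfig's code; the vendor and site directory trees it builds are constructed fixtures, with harmless marker comments standing in for injected code.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large uploads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, site_root):
    """Case (a): files only in the deployed site. Case (b): shared files whose hash differs."""
    clean, site = hash_tree(clean_root), hash_tree(site_root)
    added = sorted(set(site) - set(clean))
    modified = sorted(f for f in site if f in clean and site[f] != clean[f])
    return {"added": added, "modified": modified}

def locate_injection(clean_file, site_file):
    """For a modified file, report whether the vendor content survives as a suffix or prefix."""
    c = Path(clean_file).read_bytes()
    s = Path(site_file).read_bytes()
    if len(s) > len(c) and s.endswith(c):
        return "prepended"   # extra bytes before the original content
    if len(s) > len(c) and s.startswith(c):
        return "appended"    # extra bytes after the original content
    return "inline"          # changed somewhere in the middle; diff it by hand

def build_fixture():
    """Constructed sample: a vendor tree and a deployed tree with one added and one modified file."""
    base = Path(tempfile.mkdtemp())
    clean, site = base / "vendor", base / "site"
    for root in (clean, site):
        (root / "inc").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "inc" / "config.php").write_text("<?php $db = 'cms'; ?>\n")
    # case (b): a block appended to an existing file (constructed marker, not real malware)
    with open(site / "inc" / "config.php", "a") as f:
        f.write("<?php /* constructed marker for appended code */ ?>\n")
    # case (a): a wholly new file dropped into the site
    (site / "inc" / "cache.php").write_text("<?php /* constructed marker for a dropped file */ ?>\n")
    return clean, site
```

Against a real site, point compare_trees at the unpacked vendor archive and the web root; files in "added" can be deleted outright, files in "modified" are replaced from the vendor copy after checking they are not legitimate local configuration.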

Also, you keep flagging this file as infected. I'm pretty sure it's not; it has not been changed in many years, it's a cgi setup program.
But I can't upload it; you can get it from www.technomages.com/asetup.cgx (renamed cgx to cgi so it won't try and run).
Download it, tell me why it's giving a false positive
and what to do about it.